[Bro-Dev] Writing analyzer for Siemens PLC
Robin Sommer
robin at icir.org
Thu May 3 18:16:28 PDT 2018
On Wed, May 02, 2018 at 22:22 +0200, you wrote:
> 1) Reassembling packets: Some S7CommPlus packets whose payload is over a
> certain amount of bytes will be split and need to be reassembled.
As a couple quick pointers, the DNP3 and DTLS analyzers face a similar
task, you might find some ideas there.
> If I want to generate a Bro events which contains the payload as a
> parameter, how do I do that?
If with "payload" you mean the raw bytes, you would pass that as a
string into the event. But it's hard to do much with raw data like that in
script-land. The common way would be instead creating one event per
type of payload and then raising the corresponding event as you parse
packets and find out what's in there.
Robin
--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
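An added example, not from the thread, of what the "one event per payload type" suggestion looks like on the script side; the event names, their parameters and the log fields are assumptions for illustration, not the interface of any real S7CommPlus analyzer:

```zeek
# Hypothetical script-land side of an S7CommPlus analyzer that raises one
# event per payload type. Event names and parameters are assumptions for
# illustration; they are not the analyzer's real interface.

module S7CommPlus;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        opcode:   count   &log;
        function: count   &log;
    };
}

event zeek_init()   # bro_init() in Bro-era scripts
    {
    Log::create_stream(S7CommPlus::LOG, [$columns=Info, $path="s7commplus"]);
    }

# Typed event: the analyzer has already parsed the header, so the handler
# only works with fields, never with bytes.
event s7commplus_request(c: connection, opcode: count, function: count)
    {
    Log::write(S7CommPlus::LOG, [$ts=network_time(), $uid=c$uid, $id=c$id,
                                 $opcode=opcode, $function=function]);
    }

# For contrast, a raw-bytes event pushes the parsing into script-land:
# every field has to be sliced out and converted by hand.
event s7commplus_raw(c: connection, payload: string)
    {
    if ( |payload| < 2 )
        return;
    local opcode = bytestring_to_count(sub_bytes(payload, 1, 1));
    local func = bytestring_to_count(sub_bytes(payload, 2, 1));
    # ... and so on for every field the analyzer could have parsed itself.
    }
```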